Privacy Policy
Last updated: July 9, 2026
Effective date: July 9, 2026
Phase applicability: Phase 1 (non-health MVP) only. Will be replaced when Phase 3 health features launch.
1. Who We Are
PG Forge LLC ("Mindox," "we," "us," "our") operates the Mindox application and website at https://mindox.app. We are a California limited liability company (LLC) headquartered in San Jose, California.
Contact:
- Email: privacy@mindox.app
- Mail: PG Forge LLC, 171 Branham Ln Ste 10 POB 1045, San Jose, CA 95136
For questions about this policy, email privacy@mindox.app and we will respond within 30 days.
2. Information We Collect
We deliberately collect the minimum data needed to operate Mindox.
Important Phase 1 health-data notice: In Phase 1, Mindox is not a health product. We do not have a "MEDICAL" intent, no medical vault, no vitals tracking, no doctor-report features, and no integration with health platforms. Mindox is NOT a HIPAA Covered Entity or Business Associate in Phase 1 — we have no Business Associate Agreements (BAAs) with any healthcare provider or health plan, and we do not market Mindox as HIPAA-compliant.
If you choose to record voice notes about your health using Mindox in Phase 1, please be aware:
- Those notes are stored as general personal information, not as Protected Health Information (PHI) under HIPAA;
- We provide standard-SaaS security (encryption in transit and at rest, Row-Level Security, etc.) — not HIPAA-grade safeguards;
- We strongly recommend not entering medical information you consider especially sensitive until our Phase 3 Health Layer launches with full HIPAA compliance infrastructure (planned for 2027);
- Our internal systems may detect that a capture appears health-related (using simple keyword pattern matching) and tag it for the Phase 3 migration prompt — but no analysis, no medical features, and no health-specific UI applies until Phase 3.
State health-data laws (such as Washington's My Health My Data Act and similar emerging laws in other states) may apply to your health information regardless of HIPAA's narrower definition. We respect those laws and treat health-flagged content with appropriate caution.
2.1 Information you provide directly
| Category | Examples | Why we collect it |
|---|---|---|
| Account info | Email, password (hashed via bcrypt), display name (optional), age-13+ confirmation, locale, timezone, ToS + Privacy Policy version accepted (with timestamp) | To create and secure your account; comply with COPPA (we don't accept users under 13) |
| Voice recordings | Audio you record in the app | To transcribe and route into your notes; our systems are designed to delete audio from our servers within 60 seconds of successful transcription under normal operating conditions (up to 24 hours if a retry is needed after a failed transcription attempt), unless you explicitly enable optional 7-day raw-audio retention in Settings (default off; even then, audio is automatically deleted after 7 days — retention is never indefinite). In rare cases of service disruption, deletion may be briefly delayed; we monitor for this and remediate promptly — see §7 Security. |
| Transcripts | Text generated from your voice recordings | To populate your notes, reminders, media list, shopping list, and events list |
| Notes content | Text you type or speak — anything in MEDIA, REMINDER, NOTE, SHOPPING, EVENT categories | To provide the core Mindox service |
| Image captures | Receipts and other non-medical images you photograph | OCR + storage; encrypted at rest |
| Add-on pack purchases | Pack type, purchase timestamp, transaction ID from Apple/Google/Stripe (we never see card numbers) | To grant pack credits to your account |
| Subscription info | Plan tier (free/plus), billing status (handled by Apple, Google, or Stripe — we do not see card numbers) | To provision paid features |
| Achievement and engagement data | In-app milestone dates (e.g., first capture, 100th capture), completion streak length, monthly and annual usage counts (total captures, reminders completed, etc.) as used in recap cards | To display in-app achievements and recap summaries to you; never sold or used for advertising; deletable via account deletion |
| Support communications | Emails and messages you send us | To respond to your requests |
2.1a Sharing-recipient information
When you share a capture using Mindox's sharing feature (Path A: app-to-app share, or Path B: public URL), we additionally process limited data about the share recipient:
- Path A recipients (other Mindox users): the recipient's user ID, the share creation time, and whether they viewed it. Their existing Mindox account terms apply.
- Path B recipients (anyone with the public URL): when someone opens a shared URL, we log the request IP (truncated for privacy), user-agent, and timestamp for security and analytics — but we do NOT identify individuals. Recipients are not "users" of Mindox; we have no account or profile for them.
2.2 Sensitive data — automatic detection and redaction
Mindox automatically detects and redacts certain types of highly sensitive data when you save captures, even if you intended to save them. This includes:
- Credit / debit card numbers
- Social Security numbers (US) and similar government IDs
- Bank routing and account numbers
- API keys, passwords, and authentication credentials
When the system detects these patterns, it warns you before saving and replaces the sensitive substring with a [REDACTED:TYPE] marker. The original (unredacted) value is never stored on our servers — even if you confirm "save anyway."
We do this for your protection: if our database were ever compromised, your credit card numbers and government IDs would not be exposed because they were never stored. However, no automatic detection is perfect. You should not use Mindox to record:
- Credit / debit card numbers
- Social Security numbers or government IDs
- Banking account or routing numbers
- Passwords, PINs, or authentication credentials
If you do, our system will attempt to redact them, but you remain responsible for what you choose to record.
2.3 Analytics opt-out
We use a privacy-respecting analytics tool (PostHog) to measure aggregate product usage — what features are used, where users get stuck, what causes crashes. Analytics events never include capture content, voice transcripts, names, medication names, symptoms, or other sensitive details (see §7 Security and our threat model documentation for the full deny-list).
You can opt out of analytics at any time in Settings → Privacy → Analytics. Opting out does not affect any product feature; it only stops PostHog from receiving events from your device.
2.4 Admin / support access to your data
In rare cases, founder or support staff may need to access your data to resolve a support ticket. This access:
- Is gated by your explicit consent (in-app "Allow support to view my recent captures (next 24h)" toggle) OR a documented support ticket reference where you've requested help
- Is audit-logged with the admin user, the action taken, and a written reason
- Phase 3: requires additional re-authentication for any access to PHI in your medical vault
You can review admin access to your account by emailing privacy@mindox.app; we'll provide an extract of all admin-action audit log entries that pertain to your account.
2.5 Information collected automatically
| Category | Examples | Why |
|---|---|---|
| Device + app info | Device model, OS version, app version, language, timezone | Compatibility, debugging |
| Usage analytics | Feature usage counts, session length, crash reports (no content of notes) | Understand how the product is used; improve reliability |
| IP address | Logged briefly for rate limiting and security; not retained beyond 30 days | Security |
| Approximate location | Only if you grant location permission. Coarse city/zip-level only, never precise GPS. Used to enrich captures (e.g., link a reminder to a city). | Optional feature enrichment |
2.6 Information we do NOT collect in Phase 1
- No health data. Mindox in Phase 1 is not designed for medical use. We have no medical-vault, no vitals tracking, no doctor-report features.
- No biometric voice identification. We use your voice only for speech-to-text transcription. We do not create or store voiceprints, do not use voice for identity verification, and do not match your voice across accounts. (Note: we will revisit this in Phase 3 when health features ship; voice-biometric considerations under Illinois BIPA become more relevant if voiceprint matching is ever introduced.)
- No precise location. We never collect GPS-precise coordinates.
- No advertising identifiers. We do not use IDFA, AAID, or other ad identifiers. We run no advertising in Mindox.
- No third-party advertising trackers (no Meta Pixel, no Google Ads tags). We use only first-party analytics (PostHog, Sentry — see Section 5).
- No selling of personal information. Ever.
2.6a Sensitive documents we deliberately do NOT store
Mindox is a personal-capture app, not a document vault. We deliberately do not store certain categories of sensitive material even if you ask us to. The relevant Mindox features are designed to refuse, redact, or transform such inputs.
- Identity document images. We do not store photographs or scans of passports, driver's licenses, state IDs, military IDs, or any government-issued photo identification. Mindox has no "upload a photo of your ID" feature. Storing identity-document images would require us to operate identity-verification infrastructure that a personal-capture app is not designed for. Your actual documents belong in your wallet, your safe, or your phone's built-in wallet app — not in Mindox.
- Full government identification numbers. We do not store full passport numbers, full driver's license numbers, full Social Security Numbers, or similar. The Document Expiration Tracker feature accepts only the LAST 4 characters of a number — enough to help you recognize which document we're reminding you about ("your passport ending in ...3492 expires in 60 days") — and our system will not accept longer inputs.
- Voice-redaction of identity numbers. If you speak a full identity number into Mindox (for example: "my driver's license is D12345678, expires August 2027"), our automatic Sensitive Information Detection layer (see Section 2.2) is designed to redact the full number to its last 4 characters before storing or processing the capture. The original audio is also automatically deleted shortly after transcription. No automated detection system is perfect — if you believe sensitive information was stored in a way that bypassed this protection, contact privacy@mindox.app and we will investigate and delete it promptly upon verification.
- Full financial account numbers, card numbers, or banking credentials. Payments are handled by Stripe and the app store payment systems; we do not build features that ask for your full card number or banking information. If you accidentally speak these into a capture, our redaction layer is designed to treat them like government IDs (see the same caveat above regarding automated detection limits).
- Third parties' identifiable details. When you mention another person in a capture, we store what you said — but we do not build features to store another person's ID numbers, biometrics, or sensitive personal documents. Children's IDs, in particular, receive extra protection under applicable child privacy laws.
- Tax returns or legal documents with identifying party information. We do not have a feature to upload these.
The full architectural list of "what we do not store and why" is at Doc 3 §4.1a of our public engineering documentation, which we keep maintained as the canonical reference.
3. How We Use Your Information
We use your information to:
- Provide the Mindox service: store your captures, generate transcripts, classify notes into intents, populate your media/shopping/reminder/note lists, surface them when you search.
- Improve the service: aggregate, anonymized analytics about feature usage to understand what works.
- Maintain security: detect abuse, rate-limit Application Programming Interface (API) calls, debug crashes.
- Communicate with you: respond to support requests, send essential service emails (account confirmation, billing, security alerts). We do not send marketing emails by default — you must opt in.
- Comply with law: respond to lawful legal process.
We do not use your content to train Artificial Intelligence (AI) models — yours or anyone else's. Your captures are processed by AI models (currently OpenAI's GPT-4 family) for transcription and intent classification. OpenAI does not use API data to train its models by default — this is OpenAI's standard policy for all API traffic, requiring no special configuration on our part. We additionally configure every API call with OpenAI's store: false parameter, which disables OpenAI's optional organization-level call logging feature (a separate control from training exclusion). Independent of these settings, OpenAI may retain API inputs and outputs for up to 30 days for abuse-monitoring and safety purposes (not for training), after which they are deleted, consistent with OpenAI's standard API data policy. If we ever need to change how your content is used for any feature, we will notify you in advance and require explicit opt-in.
4. How We Share Your Information
We share data only with the categories of recipients below:
4.1 Service providers (subprocessors)
We use third-party service providers ("subprocessors") to operate Mindox. Each is bound by a contract that limits how they use your data.
Phase 1 subprocessors:
| Subprocessor | Role | Data shared | Location |
|---|---|---|---|
| Supabase (Supabase, Inc.) | Database, authentication, file storage | All your account data and notes content | US |
| OpenAI | Speech-to-text and language model classification | Audio + transcripts (not used for training, per OpenAI's standard API default; retained up to 30 days for abuse monitoring per OpenAI's standard policy) | US |
| Trigger.dev | Background jobs (e.g., scheduled reminders) | Reminder + capture metadata | US |
| Stripe | Subscription billing (web checkout) | Email, billing info (we never see card numbers) | US |
| Apple App Store | Subscription billing (iOS) | Apple-managed; we receive subscription status only | US/global |
| Google Play | Subscription billing (Android) | Google-managed; we receive subscription status only | US/global |
| Cloudflare | Domain Name System (DNS), edge security, anti-abuse | IP address, basic request metadata | US/global |
| Vercel | Web hosting (mindox.app) | IP address, basic request metadata | US/global |
| PostHog | Product analytics (no content of notes; just feature usage events) | Anonymized event data | US (or self-hosted EU option) |
| Sentry | Error tracking and crash reports | Crash stack traces + non-personal context | US |
A current list is maintained in our internal Subprocessor Registry. We will provide a copy on request to privacy@mindox.app.
4.2 Legal disclosures
We may disclose your information to comply with valid legal process (subpoenas, court orders) or to protect our rights, your safety, or the safety of others. We will challenge overbroad or improper requests where possible. We will notify you of any government request for your data unless legally prohibited.
4.3 Business transfers
If Mindox is acquired or merged, your information may transfer to the acquirer subject to this Privacy Policy. We will notify you in advance and give you the opportunity to delete your account before any transfer.
4.4 We do NOT sell or share your personal information for advertising
We do not sell your personal information. We do not share it for behavioral advertising. There are no advertisers in our supply chain.
4.5 Sharing you initiate (single-item sharing feature)
Mindox lets you share individual captures (a note, a movie, an event, a shopping item, a reminder) with other people. You choose when and what to share. We don't share your content with anyone without your explicit action.
Two ways to share:
- Share with another Mindox user ("Path A"): creates a deep link that opens in their Mindox app. They can save a copy to their own lists. Both of you are Mindox users bound by this Privacy Policy.
- Share via public link ("Path B"): generates a URL like
mindox.app/share/[random-token]that anyone with the URL can open in a web browser. They see your shared item read-only, with a "Get Mindox" invitation at the bottom.
What we collect about recipients of public links:
When someone opens a mindox.app/share/[token] URL, our edge infrastructure (Cloudflare + Vercel) processes the following transiently:
- Their IP address (retained ~24 hours in edge logs by default, then deleted)
- Their browser User-Agent string (retained ~24 hours in edge logs by default, then deleted)
- Their referrer header, if any (retained ~24 hours by default)
- The timestamp of their view (retained long-term as an anonymous view count — we do not tie it to any identifier)
Security and abuse investigation carve-out: separately from the ~24 hour default above, we maintain a restricted-access archive of the same edge log fields (IP, User-Agent, referrer) for up to 90 days, used solely to investigate suspected abuse of the sharing feature or a security incident — for example, if we discover evidence of scraping, credential-stuffing against share tokens, or another form of abuse that isn't identified within the first 24 hours. Access to this archive is limited to the founder / authorized security personnel and is never used for marketing, profiling, or any purpose other than security investigation, consistent with our Incident Response Plan.
We do not build profiles of share recipients, do not show ads to them, and do not retain any personally-identifying information about them beyond the retention windows described above. If the recipient never installs Mindox, we have no ongoing record of who they are.
Your responsibility when sharing:
- You are responsible for the content you share.
- Public links are public. Anyone with the URL can read the shared content. Treat public-link sharing accordingly.
- You can delete any share at any time from "My Shares" in the app. Deletion takes effect immediately — the link returns a "not found" error thereafter.
- Do not share content that infringes others' rights, violates the law, or that the other person has not consented to being shared. See our Terms of Service for the full sharing rules.
Rate limit: We rate-limit shares to 10 per user per 24 hours in Phase 1. This prevents abuse and keeps the feature healthy for all users.
5. Your Privacy Rights
5.1 California (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we have collected about you in the past 12 months.
- Access a copy of your personal information.
- Delete your personal information (subject to limited legal exceptions — e.g., billing records we must retain).
- Correct inaccurate personal information.
- Limit Use of Sensitive Personal Information — though as noted, we collect minimal sensitive PI in Phase 1.
- Opt out of sale or sharing — though as noted, we do not sell or share for cross-context behavioral advertising.
- Non-discrimination for exercising your rights.
To exercise these rights, email privacy@mindox.app. We will respond within 45 days (with a one-time extension to 90 days if needed). We may need to verify your identity before responding (typically by confirming you can access the email on the account).
You can also use a verified authorized agent. The agent must provide signed authorization.
5.2 Other US states
Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, and other states with consumer privacy laws have similar rights. We honor them under the same workflow as California requests. Email privacy@mindox.app.
5.3 European Union, United Kingdom, and other regions
Mindox is currently a US-only product in Phase 1. If we expand to the EU/UK, we will update this policy with General Data Protection Regulation (GDPR) and UK GDPR-specific terms (legal bases, EU representative, data transfer mechanisms, etc.).
5.4 "Do Not Sell or Share My Personal Information"
Because Mindox does not sell or share personal information for cross-context behavioral advertising (see §4.4), there is no personal information to opt out of selling or sharing. This statement itself serves as our CCPA/CPRA-required disclosure — no separate opt-out mechanism is needed because there is nothing to opt out of. If our data practices ever change to include selling or sharing personal information, we will update this policy in advance and implement a functional opt-out link at that time, consistent with our practice of requiring your explicit opt-in before any such change (§3, "If we ever need to change how your content is used").
6. Data Retention
| Category | Retention |
|---|---|
| Account info | While your account is active. After account closure: 30-day soft-delete grace during which you can email support to restore; then deleted. |
| Voice recordings (audio files) | Designed to be deleted from our servers within 60 seconds of successful transcription under normal operating conditions (or within 24 hours if a retry was needed after a failed transcription attempt), unless you explicitly enable optional 7-day raw-audio retention in Settings. Enabling retention counts toward your account's storage allowance, and even then audio is automatically deleted after 7 days — retention is never indefinite. In rare cases of service disruption, deletion may be briefly delayed; this is monitored internally and remediated promptly. |
| Transcripts and notes | While your account is active. Deleted as part of hard-deletion at the end of the 30-day soft-delete grace period (see "Account closure flow" below) — not an additional 30 days beyond that. |
| Image captures (receipts, etc.) | While your account is active. Deleted as part of hard-deletion at the end of the 30-day soft-delete grace period (see "Account closure flow" below) — not an additional 30 days beyond that. |
| Subscription / billing records | 7 years for tax purposes (US) — required by law. |
| Add-on pack purchase records | 7 years for tax purposes. |
| Application logs (errors, info events) | 90 days hot; 1 year cold storage; deleted thereafter. Personal content is never logged (see §7). |
| Access logs (HTTP requests, including public-link views) | ~24 hours by default (Vercel/Cloudflare's own edge log window — see §4.5); up to 90 days in a restricted-access security archive (Cloudflare Logpush → R2), used solely to investigate suspected abuse or a security incident. IP addresses truncated in the default logs. |
| Auth event logs (sign-in, password reset, etc.) | 2 years from event. |
| Security audit logs (account actions, security events) | 2 years from event in Phase 1; will extend to 6 years in Phase 3 per HIPAA when health features ship. Retained even after account deletion as required by law and security best practice. |
| IP address (in security logs) | Up to 90 days (aligned with the security-investigation archive above); truncated to /24 (IPv4) or /48 (IPv6) for privacy. |
| Analytics events (non-content, PostHog) | 13 months, then aggregated and deleted. You can opt out at any time in Settings → Privacy. |
| Support communications | 3 years from last contact. |
| Crash reports (Sentry) | 90 days. PII automatically scrubbed. |
Account closure flow:
- You initiate account deletion in Settings → Account → Delete Account or by emailing privacy@mindox.app.
- Your account is immediately marked for deletion. You are signed out of all devices.
- 30-day grace period: during this window, you can email support to restore your account.
- After 30 days, hard deletion runs: profile + all captures + audio + images + share records + linked subscriptions are permanently deleted.
- Subscription / billing records and audit logs are retained per the legal-retention rules above.
- We will confirm deletion via email when it completes.
7. Security
We use industry-standard technical and organizational measures, documented in our internal threat model and reviewed regularly:
In transit:
- All data encrypted via Transport Layer Security (TLS) 1.2 minimum, TLS 1.3 preferred.
- Modern, authenticated cipher suites (AES-GCM, ChaCha20-Poly1305) are prioritized in TLS negotiation; older cipher suites are progressively phased out as our infrastructure allows.
- Certificate pinning in our mobile apps to prevent man-in-the-middle attacks on hostile Wi-Fi.
- HTTP Strict Transport Security (HSTS) on the web app.
At rest:
- All databases and storage encrypted at rest (AES-256, managed by our cloud providers).
- Backups encrypted; access logged.
- Phase 1: standard at-rest encryption applies. Phase 3 (when health features ship) adds per-user envelope encryption with keys held in AWS Key Management Service (KMS) for medical data.
Access control:
- Database access limited via Row-Level Security (RLS) — your data is isolated per account, enforced at the database layer.
- Service accounts use least-privilege roles.
- Founder is the sole employee in Phase 1, with two-factor authentication on all production systems.
- No production database access from personal devices.
- Audit log records all privileged operations.
Secure development:
- Regular automated dependency security scans (Snyk, Dependabot).
- Secrets never committed to version control (Gitleaks in CI).
- Pull-request review with security-checklist enforcement.
- Logs are filtered to prevent accidental capture of personal content (passwords, capture body text, voice transcripts, encryption keys, full IPs are never logged).
Incident response:
- Documented incident response plan with defined classification, escalation, and notification procedures.
- We will notify you within 72 hours of any confirmed breach affecting your data, as required by California law and other applicable regulations.
User-side responsibilities:
- Use trusted networks for sensitive captures.
- Keep your device operating system up to date.
- Don't use rooted/jailbroken devices for sensitive content.
- Don't install untrusted certificate authorities (TLS interception requires this).
No system is perfectly secure. If you believe your account has been compromised, email security@mindox.app immediately.
7.0a Authentication and account security — biometric unlock and passkeys
Mindox offers biometric authentication and passkey signin as convenience options for signing in. We want to be precise about how these work, because confusion is common.
Biometric unlock on mobile (iPhone, iPad, Android phones, Android tablets):
If your device has Face ID, Touch ID, or Android fingerprint/face unlock set up, you can use it to unlock Mindox after signing in once with your password. This is a local convenience layer that sits on top of your normal sign-in.
- Mindox does not have access to, store, or transmit any biometric data.
- All biometric processing happens entirely on your device, by your device's operating system.
- We receive only a confirmation from your operating system that authentication succeeded — never the actual face scan, fingerprint, or biometric template.
- Apple's Secure Enclave (iPhone, iPad, Mac with Touch ID) and Android's Trusted Execution Environment (TEE) are hardware-isolated areas of your device that handle this — they're invisible to apps including Mindox.
- If you disable Face ID or Touch ID in your device's Settings, or use a different device, no Mindox data is affected — you'll just be asked for your password instead.
- You can disable biometric unlock for Mindox specifically in Mindox Settings → Privacy & Security → Biometric Unlock.
Passkey signin on web (Mac, Windows, Chromebook, etc.):
If your computer supports passkeys (Touch ID on Mac, Windows Hello on Windows, hardware security keys like YubiKey, etc.), you can register a passkey and sign in to Mindox without a password.
- A passkey is a cryptographic credential. The private part of the credential stays on your device's secure hardware (Secure Enclave, TPM, hardware key, etc.) and never leaves it.
- When you sign in, your device proves to Mindox that you have the private key, without ever revealing it. We only see a cryptographic signature.
- Mindox does not have access to, store, or transmit any biometric data used to unlock your passkey. That biometric (your face, fingerprint, etc.) is used by your device's operating system to authorize the cryptographic signing operation — it never reaches Mindox.
- You can register multiple passkeys (one per device) and manage them in Mindox Settings → Security → Passkeys.
- Removing a passkey in Mindox Settings invalidates it on our side immediately.
- If you lose all your passkey-enabled devices, you can still sign in with your email and password.
What this means for biometric privacy laws:
Mindox is not a "collector" or "possessor" of biometric data under any US state biometric privacy law (including Illinois's Biometric Information Privacy Act). This is because we do not collect, capture, purchase, receive, or otherwise obtain any biometric identifier — we receive only a boolean confirmation (from biometric unlock) or a cryptographic assertion (from passkey signin). The biometric data itself stays on your device, processed by your operating system.
This is the same analysis that applies to every iOS and Android app that uses Face ID, Touch ID, fingerprint unlock, or platform-authenticator passkeys.
Apple, Google, and Microsoft are not Mindox subprocessors for biometric authentication. Your device's operating system is processing this data on your behalf (not on Mindox's behalf), so it does not appear in our subprocessor registry.
Voice is a separate matter — Mindox processes your voice only to transcribe what you said. We do not create or store voiceprints, and we do not use voice for identity verification. See Section 2.6 for our list of things we explicitly do NOT collect.
7.1 If a security incident affects your data — how we'll notify you
If we ever discover a security incident affecting your data, we will:
- Notify you within 60 days of discovery (sooner if state law requires — California, Washington, and other states have shorter timelines for unencrypted personal information).
- Use three channels to maximize the chance the notice reaches you:
- In-app banner + modal — the next time you open Mindox, you'll see a non-dismissible notice about the incident. This is always sent for affected users.
- Email — if we have your email and the law applies (Phase 3 PHI: only with your prior consent to electronic notice; Phase 1 personal data: based on signup email by default per state breach-notification law). Subject line will identify it as a security notice.
- Public website notice at mindox.app/security-notice — a public page describing what happened, what data was affected, what you should do, and what we're doing in response. This is always posted as a backup channel.
- Include the required information: what happened, when we discovered it, what types of data were affected, what you can do to protect yourself, what we're doing in response, and how to contact us with questions (security@mindox.app + a toll-free number we'll provision for the incident window).
- Notify regulators as required by law: HHS (for Phase 3 PHI breaches affecting 500+ users) and state attorneys general (per state-specific requirements; California, Washington, New York, and others have their own notification requirements).
We do not collect physical addresses at signup, so paper-mail notification is not part of our default. If you specifically prefer paper mail, you can email privacy@mindox.app to update your contact preference.
We will never delay notifying you because we're "still investigating." The 60-day clock starts when we discover the incident, not when our investigation is complete. If we know who's affected and what was involved, we tell you — even if root-cause analysis is ongoing.
8. Cookies and Similar Technologies (Web)
The Mindox website uses minimal cookies:
- Strictly necessary (auth session, CSRF protection): always active.
- Functional (remember your preferences): active by default; you can disable.
- Analytics (PostHog, anonymized): you can opt out via the cookie banner.
We do not use advertising cookies, retargeting pixels, or third-party trackers.
9. Children
Mindox is not directed to children under 13 and we do not knowingly collect personal information from anyone under 13. At signup, we ask you to confirm you are 13 or older. This complies with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §6501-6506).
If you are between 13 and 18 (or whatever the age of majority in your jurisdiction is), you may use Mindox only with permission from a parent or legal guardian. Please review this Privacy Policy and our Terms of Service with them.
Children's information captured by parents: in Phase 2, Mindox lets parents track their children's information (school calendar, allergies, emergency contacts) inside the parent's own account. This data belongs to the parent's account; the child does NOT have a Mindox account of their own. Parents are responsible for what they capture about their children. Children's health data (growth measurements, vaccinations, pediatrician visits) is not supported until Phase 3 with HIPAA infrastructure.
Discovery + removal: if you believe a child under 13 has provided personal information directly to Mindox, please email privacy@mindox.app. We will promptly delete the information and close the account. We do not require additional documentation beyond a credible report.
In some jurisdictions (EU, parts of US) the age threshold for consent is 16 or higher; users below that age must have parental consent.
10. International Data Transfers
In Phase 1, Mindox primarily serves US users. Our subprocessors (Supabase, OpenAI, etc.) are US-based. If you access Mindox from outside the US, your data may be transferred to and stored on US servers, which may have different privacy protections than your home country.
11. Changes to This Policy
We will update this policy as our product and regulations evolve. Material changes (new categories of data collection, new sharing, narrowing of your rights) will be communicated by email and an in-app notification at least 30 days before they take effect.
The most significant planned change is the Phase 3 update when health features launch — we will publish a new Privacy Policy with HIPAA, BIPA, MHMDA, and FTC Health Breach Notification Rule sections at that time, and we will require your explicit re-consent before processing any health information.
12. Contact Us
Email: privacy@mindox.app
Mail: PG Forge LLC, 171 Branham Ln Ste 10 POB 1045, San Jose, CA 95136
Privacy Officer: The founder is the designated Privacy contact in Phase 1.
We will respond to all privacy inquiries within 30 days.